U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

EPA’s Radiation and Indoor Environments National Laboratory Should Improve Its Computer Room Security Controls

Report No. 12-P-0847                                   September 21, 2012

Report Contributors:    Rudolph M. Brevard
                        Michael Goode
                        Sabrena Stewart

Abbreviations

EPA      U.S. Environmental Protection Agency
IT       Information Technology
NIST     National Institute of Standards and Technology
OAR      Office of Air and Radiation
OIG      Office of Inspector General
ORD      Office of Research and Development
RIENL    Radiation and Indoor Environments National Laboratory
SP       Special Publication

Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:

e-mail:   OIG_Hotline@epa.gov
phone:    1-888-546-8740
fax:      202-566-2599
online:   http://www.epa.gov/oig/hotline.htm
write:    EPA Inspector General Hotline
          1200 Pennsylvania Avenue NW
          Mailcode 2431T
          Washington, DC 20460

U.S. Environmental Protection Agency
Office of Inspector General
12-P-0847
September 21, 2012

At a Glance

EPA’s Radiation and Indoor Environments National Laboratory Should Improve Its Computer Room Security Controls

Why We Did This Review

The U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) conducted this audit to assess the security posture and in-place environmental controls of EPA’s Radiation and Indoor Environments National Laboratory computer room in Las Vegas, Nevada. This audit was conducted in support of the audit of EPA’s directory service system authentication and authorization servers.

This report addresses the following EPA Goal or Cross-Cutting Strategy:

- Strengthening EPA’s workforce and capabilities.

For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.

The full report is at:
www.epa.gov/oig/reports/2012/20120921-12-P-0847.pdf

What We Found

Our review of the security posture and in-place environmental controls of EPA’s Radiation and Indoor Environments National Laboratory computer room disclosed an array of security and environmental control deficiencies. These deficiencies greatly hinder the ability of the Office of Air and Radiation (OAR) to safeguard critical information technology assets and associated data from the risk of damage and/or loss.

Recommendations and Planned Agency Corrective Actions

We recommended in our draft report that OAR remediate physical and environmental control deficiencies. In its response to the draft report, OAR provided a corrective action plan with milestone dates to address agreed-upon recommendations 1 through 5. OAR did not agree or disagree with recommendation 6 because corrective actions required consultation with the U.S. General Services Administration to identify a suitable resolution.

OAR subsequently submitted an updated status on agreed-upon corrective actions. Based upon that status, corrective actions for recommendations 1 through 5 have been completed. In the updated status, OAR proposed an alternative action of accepting the risks of not installing the emergency shut-off valve for recommendation 6. OAR made this proposal because its initial investigation suggested that compliance would be cost prohibitive and the local fire code may make necessary modifications infeasible. OAR agreed to assume the risks associated with that decision.

We consider recommendations 1 through 5 closed with agreed-upon corrective actions complete. For recommendation 6, we accept OAR’s proposal and have updated it to reflect necessary steps OAR must undertake to implement the proposed alternative action. Specifically, OAR management should update its information security plan to formally accept the risks for not meeting minimum information systems security controls required by federal guidance. OAR concurred with the update to recommendation 6. Although OAR has concurred with the recommendation change, we consider recommendation 6 unresolved pending receipt of a corrective action plan with milestone completion dates.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

September 21, 2012

MEMORANDUM

SUBJECT:   EPA’s Radiation and Indoor Environments National Laboratory
           Should Improve Its Computer Room Security Controls
           Report No. 12-P-0847

FROM:      Arthur A. Elkins, Jr.

TO:        Jim Jones
           Senior Information Official
           Office of Air and Radiation

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

Action Required

The Office of Air and Radiation (OAR) provided an acceptable corrective action plan and has completed agreed-upon corrective actions for recommendations 1 through 5. In OAR’s response to the draft report, it neither agreed nor disagreed with recommendation 6. Subsequently, OAR proposed an alternative action to resolve recommendation 6.
The OIG accepts OAR’s proposed alternative action and has updated recommendation 6 to reflect necessary steps OAR must undertake to implement the proposed alternative action. However, we consider recommendation 6 unresolved pending receipt of a corrective action plan with milestone completion dates.

Therefore, in accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days. You should include a corrective action plan for recommendation 6, including milestone dates. Your response will be posted on the OIG’s public website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal. We have no objections to the further release of this report to the public. We will post this report to our website at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact Rudolph M. Brevard, Director, Information Resources Management Assessments, at (202) 566-0893 or brevard.rudy@epa.gov; or Michael Goode, Project Manager, at (202) 566-0354 or goode.michael@epa.gov.

EPA’s Radiation and Indoor Environments National Laboratory Should Improve Its Computer Room Security Controls                                   12-P-0847

Table of Contents

   Purpose ........................................................................ 1
   Background ..................................................................... 1
   Scope and Methodology .......................................................... 1
   Findings ....................................................................... 2
      Computer Room Servers Unsecured and Without Compensating Controls ........... 2
      No Automatic Shutdown Capabilities for Power System ......................... 3
      Servers Exposed to Potential Water Damage ................................... 3
   Recommendations ................................................................ 4
   Agency Comments and OIG Evaluation ............................................. 5
   Status of Recommendations and Potential Monetary Benefits ...................... 6

Appendices
   A  Agency Response to Draft Report ............................................. 7
   B  Distribution ................................................................ 10

Purpose

The U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) conducted this audit to assess the security posture and in-place environmental controls of EPA’s Radiation and Indoor Environments National Laboratory (RIENL) computer room in Las Vegas, Nevada. This audit was conducted in support of the audit of EPA’s directory service system authentication and authorization servers.

Background

The RIENL protects the public and the environment by minimizing public exposure to radiation and indoor air pollution through environmental measurements, applied technologies, and education. The laboratory also provides scientific and technical support for the Agency’s radiation, ambient air quality, and indoor environments programs at EPA headquarters and in the regions; other federal agencies; tribal, state, and local governments; and private industry. The laboratory is part of the Office of Air and Radiation (OAR).

Scope and Methodology

We performed this audit from January 2011 through April 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We conducted the on-site review of the computer room security posture and in-place environmental controls at the RIENL in Las Vegas, Nevada, in March 2011. The criteria used for the review were derived from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, “Physical and Environmental Protection Security” control family. We evaluated the RIENL computer room through inquiry, observation, and review of documentation. At the time of our visit in March 2011, we met with OAR representatives and shared our findings with them. While onsite for another audit in September 2011, we met with OAR representatives to determine whether the findings we identified in March 2011 had been remediated.

Prior OIG Reports

In EPA OIG Report No. 10-P-0059, EPA Needs to Improve Physical Security at Its Offices in Las Vegas, Nevada, February 3, 2010 (2010 Report), we found that the Office of Research and Development (ORD) operated the access control system for EPA’s Las Vegas offices, and granted personnel access to sensitive areas without proper authorization.

12-P-0847                                                                                       1
We recommended that ORD develop and implement procedures to ensure that all organizations are provided with the information necessary to monitor and review the access to their space until offices accept the responsibility from ORD. We also recommended that the Office of Administration and Resources Management’s Security Management Division conduct an assessment of the physical security practices at EPA’s Las Vegas locations and conduct outreach to the Las Vegas offices to provide assistance. EPA agreed with the findings and recommendations.

Findings

RIENL computer room control deficiencies greatly reduce the ability of OAR to safeguard critical IT assets and associated data from the risk of unauthorized access, damage, and/or loss. In particular, physical access controls were not in place to monitor access to critical IT assets. Also, the server room lacked environmental controls to protect IT assets from potential loss or damage due to power outages and water leaks. NIST prescribes the selection and implementation of appropriate security controls for an information system, which represent the management, operational, and technical safeguards or countermeasures employed to protect the confidentiality, integrity, and availability of the system and its information. Although OAR has taken steps to correct some of the weaknesses noted during our initial site visit in March 2011, additional steps are needed. We believe that OAR faces potential disruption of its operations if it does not correct the identified weaknesses.

Computer Room Servers Unsecured and Without Compensating Controls

In March 2011, we found that critical servers in the RIENL computer room were not secured in locked cabinets to prevent unauthorized access. NIST SP 800-53 specifies that organizations should use lockable physical casings to protect information system components from unauthorized physical access. We noted that the cabinets were not locked because the rack-mounted IT assets exceeded the length of the server cabinets, thereby preventing the cabinets from being locked without potentially damaging the IT assets.

Additionally, management had not implemented compensating controls such as video monitoring of the computer room to ensure the capability of identifying the cause of a service disruption or to serve as a reference point to plan risk mitigation procedures. NIST SP 800-53 recommends that organizations guard, alarm, and monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week. The computer room is controlled by a card access system. However, in our 2010 Report, we had noted weaknesses within the card access system. As a result of this previously identified weakness and issues identified during this audit, the OIG believes that video cameras are an additional safeguard that will aid in monitoring personnel activity.

We shared these findings with OAR representatives in March 2011. We also met with OAR representatives in September 2011 to determine whether the office took steps to address these weaknesses. During our subsequent walkthrough, we noted that OAR had installed four new server cabinets to correct the previously identified issue associated with the rack-mounted IT assets. All rack-mounted IT assets now properly fit into the server cabinets. However, not all server cabinet doors were locked. The unlocked server cabinet doors leave the servers and associated IT assets vulnerable to unauthorized access, tampering, and/or theft.

Additionally, while conducting the September 2011 visit, we noted that a video camera had been installed on the wall of the computer room. This camera appears to monitor computer room entry/exit points and the server cabinets. This video is monitored and recorded outside of the computer room. However, OAR representatives could not provide us with any policies and/or procedures that outline monitoring practices and responsibilities. NIST SP 800-53 specifies that organizations should document physical and environmental protection procedures that address purpose, scope, roles, and responsibilities. We could not test the new video surveillance system because personnel responsible for the video surveillance system were not available during our visit.

No Automatic Shutdown Capabilities for Power System

In emergency situations, RIENL’s ability to shut down IT equipment in an orderly fashion is limited. NIST SP 800-53 states that an organization should provide a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
The possibility of an orderly emergency shutdown is hindered by the lack of (1) a generator to provide emergency power, (2) around-the-clock monitoring of the RIENL computer room, and (3) an uninterruptible power supply with automated shutdown capability.

OAR personnel indicated that once power is lost, its uninterruptible power supply only provides 20 minutes of backup power to manually shut down IT equipment. This short period during which back-up power is available, combined with the lack of dedicated around-the-clock staff manning the computer room and the lack of automatic shutdown capabilities, increases the likelihood that personnel will not be able to perform an orderly shutdown of IT assets in the event of a power loss. Inability to perform an orderly shutdown increases the risk of data loss.

Servers Exposed to Potential Water Damage

RIENL IT assets are at risk of damage due to accidental water leakage. The U.S. Government Accountability Office, Federal Information System Controls Audit Manual, specifies that environmental controls exist to help ensure that building plumbing lines do not endanger the computer facility or, at a minimum, that shutoff valves and procedures exist and are known. The manual also points to the need for water detectors on the floor of the facility. NIST SP 800-53 stipulates that an organization should protect information systems from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel. Server cabinets containing the IT assets were located directly under the computer room’s overhead sprinklers, and the fire suppression system within the room is fully charged. Fully charged fire suppression systems maintain water pressure at all times, and these pipes could leak, especially at points where the sprinkler heads connect to the water pipes. The computer room also did not have compensating controls, such as leak shields, to protect these assets from potential water damage.

When organizations have a fully charged fire suppression system, the risk of water damage from leaks may be mitigated by removing IT assets from areas directly under sprinkler heads or pipes when possible. When it is not possible to relocate IT assets to areas not directly under sprinkler heads and pipes, other compensating controls such as leak shields attached to or above the cabinets should be utilized.

OAR does not have formal procedures related to monitoring potential water leaks in the computer room, or for actions to be taken in the event of a water leak.
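The two environmental findings above (a UPS with about 20 minutes of runtime and no automated shutdown, and no procedures for monitoring water leaks) come down to a decision rule that a monitor must apply with nobody on site. The Python model below is an added example, not code from the report or from OAR's systems: it applies that rule to a constructed UPS and leak-sensor event feed and contrasts the manual-only condition the report found with an automatic shutdown. The 20-minute figure is the report's; the shutdown lead time, the blip grace period, the event format and every function name are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Figure taken from the report: the RIENL UPS supplies about 20 minutes of
# backup power. The next two values are assumed site tunables, not from the report.
UPS_RUNTIME_MIN = 20.0
SHUTDOWN_LEAD_MIN = 8.0   # minutes an orderly shutdown of every host needs
BLIP_GRACE_MIN = 2.0      # outages shorter than this never start a shutdown


@dataclass
class Event:
    """One record from a hypothetical UPS / leak-sensor feed (constructed)."""
    t: float                         # minutes since the feed started
    kind: str                        # "ONBATT", "ONLINE", "LEAK" or "DRY"
    runtime: Optional[float] = None  # UPS-estimated battery minutes left


@dataclass
class Decision:
    t: float
    action: str                      # "alert", "escalate" or "shutdown"
    reason: str


class RoomMonitor:
    """Applies the alerting and shutdown policy to a stream of events.
    automatic=False models the condition the report found: the monitor can
    only raise alerts, and the shutdown happens only if someone is on site."""

    def __init__(self, automatic: bool, staff_on_site: bool) -> None:
        self.automatic = automatic
        self.staff_on_site = staff_on_site
        self.onbatt_since: Optional[float] = None
        self.shutdown_at: Optional[float] = None
        self.power_lost_at: Optional[float] = None
        self.escalated = False
        self.decisions: List[Decision] = []

    def _log(self, t: float, action: str, reason: str) -> None:
        self.decisions.append(Decision(t, action, reason))

    def _request_shutdown(self, t: float, reason: str) -> None:
        if self.automatic or self.staff_on_site:
            self.shutdown_at = t
            self._log(t, "shutdown", reason)
        elif not self.escalated:          # page on-call once, then keep waiting
            self.escalated = True
            self._log(t, "escalate", "manual shutdown needed but nobody on site")

    def handle(self, ev: Event) -> None:
        if self.shutdown_at is not None or self.power_lost_at is not None:
            return                        # nothing left to protect
        if ev.kind == "ONBATT":
            if self.onbatt_since is None:
                self.onbatt_since = ev.t
                self._log(ev.t, "alert", "primary power lost, UPS on battery")
            on_batt = ev.t - self.onbatt_since
            # Trust the UPS runtime estimate when present, else assume the rated 20 min.
            left = ev.runtime if ev.runtime is not None else UPS_RUNTIME_MIN - on_batt
            if left <= 0:
                self.power_lost_at = ev.t
                self._log(ev.t, "alert", "UPS exhausted; hosts lost power uncleanly")
            elif on_batt >= BLIP_GRACE_MIN and left <= SHUTDOWN_LEAD_MIN:
                self._request_shutdown(
                    ev.t, f"{left:.0f} min of battery left, shutdown needs {SHUTDOWN_LEAD_MIN:.0f}")
        elif ev.kind == "ONLINE":
            if self.onbatt_since is not None:
                self._log(ev.t, "alert", "primary power restored")
            self.onbatt_since = None
        elif ev.kind == "LEAK":
            self._log(ev.t, "alert", "water detected under the racks")
            if not self.staff_on_site:
                self._log(ev.t, "escalate", "leak needs an on-call response")

    def outcome(self) -> str:
        if self.shutdown_at is not None:
            return "orderly"
        if self.power_lost_at is not None:
            return "unclean"
        return "running"


def run(events: List[Event], automatic: bool, staff_on_site: bool) -> RoomMonitor:
    mon = RoomMonitor(automatic, staff_on_site)
    for ev in events:
        mon.handle(ev)
    return mon


# Constructed feed: an overnight outage that outlasts the battery, with the UPS
# reporting its remaining runtime once a minute.
OVERNIGHT_OUTAGE = [Event(float(t), "ONBATT", UPS_RUNTIME_MIN - t) for t in range(21)]
# Constructed feed: a 90-second blip, then a leak alarm half an hour later.
BLIP_THEN_LEAK = [Event(0.0, "ONBATT", 20.0), Event(1.5, "ONLINE"), Event(30.0, "LEAK")]

if __name__ == "__main__":
    for auto in (False, True):
        print("automatic" if auto else "manual", "->", run(OVERNIGHT_OUTAGE, auto, False).outcome())
```

With the report's figures the manual, unstaffed case ends in an unclean power loss at minute 20 after a single unanswered escalation, while the automatic policy starts an orderly shutdown at minute 12 and ignores the short blip entirely.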
In addition, the computer room does not have a master shutoff valve for the water pipes running through the computer room.

Recommendations

We recommend that the Senior Information Official, Office of Air and Radiation:

   1. Develop and implement computer room policies and procedures to ensure that server cabinets are locked at all times, except when IT assets are being worked on.

   2. Develop and implement computer room policies and procedures related to video surveillance of the physical access to critical assets within the computer room including, but not limited to, detailed procedures that specify:

         a. How long video footage should be maintained
         b. How video surveillance reviews should be performed
         c. How often video footage should be reviewed
         d. The groups and persons responsible for reviewing video surveillance footage

   3. Develop and implement computer room policies and procedures to limit water damage to the IT assets in the computer room, to include:

         a. 24 hours/day, 7 days/week monitoring
         b. Timely actions to be taken in the event of a water leak in the computer room

   4. Acquire and implement an uninterruptible power supply that will automatically perform an orderly shutdown of IT assets without manual intervention in the event of a long-term loss of power.

   5. Move the server racks so that they are not directly under sprinkler heads or water pipes or, if that is not possible, install leak shields on or above the server racks directly under sprinkler heads or water pipes.

   6. Install a master shutoff valve for the water pipes that flow through the computer room or update the local area network security plan to have the Authorizing Official formally accept the risks of operating the facility without installing the valve.

Agency Comments and OIG Evaluation

OAR responded to our draft report and provided a corrective action plan with milestone dates to address agreed-upon recommendations 1 through 5. OAR did not agree or disagree with recommendation 6. Corrective actions for this recommendation required consultation with the U.S. General Services Administration because that office leases the OAR facility under review. This response is provided in Appendix A.

OAR subsequently submitted an updated status on agreed-upon corrective actions. Based upon the OIG review of the updated status of corrective actions and supporting documentation, we consider recommendations 1 through 5 closed and associated corrective actions complete. In the updated status, OAR proposed an alternative action of accepting the risks associated with not installing the emergency shut-off valve for recommendation 6. OAR made this proposal because its initial investigation suggested that compliance would be cost prohibitive and the local fire code may make modifications infeasible.

We accept OAR’s proposal regarding recommendation 6 and have updated it to reflect necessary steps OAR must undertake to implement the proposed alternative action.
Specifically, OAR management should update its information security plan to formally accept the risks of not installing the emergency shut-off valve as specified by NIST 800-53. OAR concurred with the update to recommendation 6. Although OAR has concurred with the recommendation change, we consider recommendation 6 unresolved pending receipt of a corrective action plan with milestone completion dates.

Status of Recommendations and Potential Monetary Benefits

The Planned Completion Date column and the Potential Monetary Benefits columns (Claimed Amount and Agreed-To Amount, in $000s) are blank for every recommendation; the remaining columns are listed below.

Rec. No. 1 (page 4)
   Subject:          Develop and implement computer room policies and procedures to ensure that server cabinets are locked at all times, except when IT assets are being worked on.
   Status:           C
   Action Official:  Senior Information Official, Office of Air and Radiation

Rec. No. 2 (page 4)
   Subject:          Develop and implement computer room policies and procedures related to video surveillance of the physical access to critical assets within the computer room including, but not limited to, detailed procedures that specify:
                       a. How long video footage should be maintained
                       b. How video surveillance reviews should be performed
                       c. How often video footage should be reviewed
                       d. The groups and persons responsible for reviewing video surveillance footage
   Status:           C
   Action Official:  Senior Information Official, Office of Air and Radiation

Rec. No. 3 (page 4)
   Subject:          Develop and implement policies and procedures to limit water damage to the IT assets in the computer room, to include:
                       a. 24 hours/day, 7 days/week monitoring
                       b. Timely actions to be taken in the event of a water leak in the computer room
   Status:           C
   Action Official:  Senior Information Official, Office of Air and Radiation

Rec. No. 4 (page 5)
   Subject:          Acquire and implement an uninterruptible power supply that will automatically perform an orderly shutdown of IT assets without manual intervention in the event of a long-term loss of power.
   Status:           C
   Action Official:  Senior Information Official, Office of Air and Radiation

Rec. No. 5 (page 5)
   Subject:          Move the server racks so that they are not directly under sprinkler heads or water pipes or, if that is not possible, install leak shields on or above the server racks directly under sprinkler heads or water pipes.
   Status:           C
   Action Official:  Senior Information Official, Office of Air and Radiation

Rec. No. 6 (page 5)
   Subject:          Install a master shutoff valve for the water pipes that flow through the computer room or update the local area network security plan to have the Authorizing Official formally accept the risks of operating the facility without installing the valve.
   Status:           U
   Action Official:  Senior Information Official, Office of Air and Radiation

Status key:
   O = recommendation is open with agreed-to corrective actions pending
   C = recommendation is closed with all agreed-to actions completed
   U = recommendation is unresolved with resolution efforts in progress

Appendix A

Agency Response to Draft Report

MEMORANDUM

SUBJECT:   Response to Recommendations for Improving EPA’s Radiation and Indoor Environments
National Laboratory (R&IENL) Computer Room Security Controls -\n          Project No. OMS-FY11-0009\n\nFROM:          Elizabeth Shaw\n               Acting Deputy Assistant Administrator\n\n\nTO:\t           Rudolph M. Brevard\n               Director, Information Resources Management Assessments\n\n\nThis document outlines solutions in concurrence to recommendations made in the OIG report,\ndated April 26, 2012, stating security controls at R&IENL need improvement.\n\nOIG recommendation # 1: Develop and implement computer room policies and procedures to\ninsure that server cabinets are locked at all times, except when IT assets are being worked on and\nregular maintenance performed.\n\nOAR Response: In concurrence with the above recommendation, a memorandum outlining\ncurrent R&IE computer server room security policies and procedures is in development. As\nnoted in the OIG report, R&IE IT personnel were aware of the issue and working on a\nremediation strategy prior/during/after the IG inspection. Server rack replacement cost and time\nfor completion has taken over one year.\n\nPlanned Completion Date:\nJune 29, 2012\n\nOIG recommendation # 2: Develop and implement computer room policies and procedures\nrelated to video surveillance of the physical access to critical assets within the computer room\nincluding, but not limited to, detailed procedures that specify:\na. How long video footage should be maintained\nb. How and when video surveillance reviews should be performed\nc. How often video footage should be reviewed\nd. The groups and persons responsible for reviewing video surveillance footage\n\n\n\n\n12-P-0847                                                                                          7\n\x0cOAR Response: In concurrence with the above recommendation, a CCTV SOP is in\ndevelopment to address policies and procedures related to the La Plaza CCTV system. 
This\nsystem resides in the R&IE GSS and is jointly managed with OCFO/LVFC providing services to\nall seven AA offices at the La Plaza Business Center. OAR/ORIA/RIE will work with\nOCFO/LVFC management and IT staff in order to meet this recommendation.\n\nPlanned Completion Date:\nJuly 31, 2012\n\nOIG recommendation # 3: Develop and implement policies and procedures to limit water\ndamage to the IT assets in the computer room, to include:\na. 24 hours/day, 7 days/week monitoring\nb. Timely actions to be taken in the event of water leak in the computer room\n\nOAR Response: In concurrence with the above recommendation, a memorandum outlining\ncurrent R&IE\xe2\x80\x99s Server Room Environmental System Control policies and procedures will be\ndeveloped. This memo will outline environmental controls currently available in the server room\nsuch as water, heat, and noise alerts and our automated 24/7 monitoring system.\n\nPlanned Completion Date:\nJune 29, 2012\n\nOIG recommendation # 4: Acquire and implement an uninterrupted power supply (UPS) that\nwill automatically perform an orderly shutdown of IT assets without manual intervention in the\nevent of a long-term loss of power.\n\nOAR Response: In concurrence with the above recommendation, a software and hardware\nsolution has been researched to implement an orderly shutdown on all compatible systems.\nRecently the primary server environment was migrated to a VM system. 
Prior to this migration,\ndue to the age of our servers, it was not possible to properly and efficiently implement this\nrecommendation.\n\nPlanned Completion Date:\nAugust 31, 2012\n\nOIG recommendation # 5: Move the server racks so that they are not directly under sprinkler\nheads or water pipes or, if that is not possible, install leak shields on or above the server racks\ndirectly under sprinkler heads or water pipes.\n\nOAR Response: In concurrence with the above recommendation, a sheet metal contractor has\nbeen contracted to design, construct and install water leak shields on all five server racks that are\ndirectly under sprinkler heads and water pipes.\n\nPlanned Completion Date:\nAugust 31, 2012\n\n\n\n\n12-P-0847                                                                                             8\n\x0cOIG recommendation # 6: Install a master shutoff valve for the water pipes that flow through\nthe computer room.\n\nOAR Response: R&IE server room is located in a space leased by GSA. Further research needs\nto be conducted by GSA in order to establish whether this recommendation is feasible for\nimplementation or if cost is prohibitive. 
Preliminary R&IE research indicates local city/county\nfire department policies may make this infeasible based on the current building infrastructure.\n\nPlanned Completion Date:\nTBD\n\ncc:    \tLarry Dollison\n       Mike Flynn\n       Ron Fraass\n       Reginald Slade\n       Maureen Hingeley\n\n\n\n\n12-P-0847                                                                                      9\n\x0c                                                                                Appendix B\n\n                                    Distribution\nOffice of the Administrator\nAssistant Administrator for Air and Radiation\nDeputy Assistant Administrator for Air and Radiation\nSenior Information Official, Office of Air and Radiation\nAgency Follow-Up Official (the CFO)\nAgency Follow-Up Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for External Affairs and Environmental Education\nSenior Agency Information Security Officer\nDirector, Radiation and Indoor Environments National Laboratory, Office of Air and Radiation\nAudit Follow-Up Coordinator, Office of Air and Radiation\nInformation Security Officer, Office of Air and Radiation\n\n\n\n\n12-P-0847                                                                                  10\n\x0c"